microdroid/system/private/compos.te

# TODO(b/193504816): move this to compos APEX
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;

allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Allow using keystore and authfs_service binder services
binder_use(compos);
use_keystore(compos);
allow compos authfs_binder_service:service_manager find;
binder_call(compos, authfs_service);

# Allow payloads to use and manage their keys
allow compos vm_payload_key:keystore2_key {
    delete
    get_info
    manage_blob
    rebind
    use
};

# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
allow compos authfs_fuse:file create_file_perms;

# Allow locating the authfs mount directory.
allow compos authfs_data_file:dir search;

# Run derive_classpath in our domain
allow compos derive_classpath_exec:file rx_file_perms;
allow compos apex_mnt_dir:dir r_dir_perms;
# Ignore harmless denials on /proc/self/fd
dontaudit compos self:dir write;
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;

# Allow domain transition into odrefresh and dex2oat.
# TODO(b/209008712): Remove dex2oat once the migration is done.
domain_auto_trans(compos, odrefresh_exec, odrefresh)
domain_auto_trans(compos, dex2oat_exec, dex2oat)